Cannot establish NTLM Authentication channel

Most of the time, people have this issue, while not wanting Kerberos/NTLM in the first place, so the best way is to disable it by disable SSO for all zones. 

Just to be sure: You want to use Kerberos on SFOS for Authentication? Could you give us some background, why you choose Kerberos over Heartbeat User ID or STAS? What are you looking forward to do with Kerberos? 

Please read the last paragraph above...

I did, but it is not clear, why you choose Kerberos. 

This is enabled by default in every firewall. I did not "choose" it.

From what I gather, AD SSO is unnecessary when using Endpoint with Heartbeat to identify users.  But nowhere in Sophos' documentation do I see this specific statement.

ADSSO is basically Kerberos/NTLM. And it should be disabled per Default: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/DeviceAccessLocalServiceACL/index.html

Maybe someone activated it. But you can safely disable it on all zones. 
Heartbeat / STAS is using the "Clients" Option under Device Access. 

Thank you LuCar Toni . 

I found that someone set our firewall group this way and it's been that way for longer than I've been with this company.  I've updated the group to remove AD SSO so we don't have to keep getting this error.  I've seen it across all firewalls and have simply ignored it but with customers receiving firewall reports and this error in there repeatedly, I wanted to get too the root of the issue.

Glad to know that "Client" is what endpoint Heartbeat is using. I thought this would be the Authentication client that I have never implemented in the last 7 years of working with Sophos.